IETF Logo Mail Archive

Re: [Int-area] Re: [dhcwg] Discussion of subscriber authentication

"Julien Bournelle" <julien.bournelle@gmail.com> Fri, 30 March 2007 08:21 UTC

Return-path: <int-area-bounces@lists.ietf.org>
Received: from [127.0.0.1] (helo=stiedprmman1.va.neustar.com) by megatron.ietf.org with esmtp (Exim 4.43) id 1HXCMi-0001AF-VS; Fri, 30 Mar 2007 04:21:44 -0400
Received: from [10.91.34.44] (helo=ietf-mx.ietf.org) by megatron.ietf.org with esmtp (Exim 4.43) id 1HXCMg-0001A1-En for Int-area@lists.ietf.org; Fri, 30 Mar 2007 04:21:42 -0400
Received: from ik-out-1112.google.com ([66.249.90.183]) by ietf-mx.ietf.org with esmtp (Exim 4.43) id 1HXCMf-0001Rk-Uf for Int-area@lists.ietf.org; Fri, 30 Mar 2007 04:21:42 -0400
Received: by ik-out-1112.google.com with SMTP id c21so347757ika for <Int-area@lists.ietf.org>; Fri, 30 Mar 2007 01:21:39 -0700 (PDT)
DKIM-Signature: a=rsa-sha1; c=relaxed/relaxed; d=gmail.com; s=beta; h=domainkey-signature:received:received:message-id:date:from:to:subject:cc:in-reply-to:mime-version:content-type:content-transfer-encoding:content-disposition:references; b=YLaUN+8SAoQsVq5vEWlfuphdFiNXlTKscz7i4OzHalkLrdRmK7dQmApSLsreQwluVZ21lQxXmKqjieIZw+RE7urTiNmYZs2ZfsQUtNuXkEfDLKQ/ICx85btihcq5WyCTRWq1y1X96JgzG7KoMskLZSoA1LnN+YSKS1N/f/Fac9k=
DomainKey-Signature: a=rsa-sha1; c=nofws; d=gmail.com; s=beta; h=received:message-id:date:from:to:subject:cc:in-reply-to:mime-version:content-type:content-transfer-encoding:content-disposition:references; b=ZmevmL92Jsfyqw9f6DZqel0wXCggnRj9kUqiz891ma8PhWnBUjOh/KtKXFn2dezl8/YO85PjvBBDNLC23e8tfbxhqUmjv9OFg0ST6rlC1jp2aMSEFyZzp/YmMNHlStjJrl58cxOfHm5abf3bvrYzlBilHtUon7aAJVCJW/dgonA=
Received: by 10.78.179.12 with SMTP id b12mr736111huf.1175242899031; Fri, 30 Mar 2007 01:21:39 -0700 (PDT)
Received: by 10.78.168.16 with HTTP; Fri, 30 Mar 2007 01:21:38 -0700 (PDT)
Message-ID: <5e2406980703300121l4fa1bb13xcb0eef22b40b3261@mail.gmail.com>
Date: Fri, 30 Mar 2007 10:21:38 +0200
From: Julien Bournelle <julien.bournelle@gmail.com>
To: John Schnizlein <jschnizl@cisco.com>
Subject: Re: [Int-area] Re: [dhcwg] Discussion of subscriber authentication
In-Reply-To: <CE64EC79-FA87-40F8-8731-0E346A4DBB27@cisco.com>
MIME-Version: 1.0
Content-Type: text/plain; charset="ISO-8859-1"; format="flowed"
Content-Transfer-Encoding: 7bit
Content-Disposition: inline
References: <8E296595B6471A4689555D5D725EBB2103A34015@xmb-rtp-20a.amer.cisco.com> <CE64EC79-FA87-40F8-8731-0E346A4DBB27@cisco.com>
X-Spam-Score: 0.0 (/)
X-Scan-Signature: 1449ead51a2ff026dcb23465f5379250
Cc: DHC WG <dhcwg@ietf.org>, "Bernie Volz (volz)" <volz@cisco.com>, Int-area@lists.ietf.org
X-BeenThere: int-area@lists.ietf.org
X-Mailman-Version: 2.1.5
Precedence: list
List-Id: IETF Internet Area Mailing List <int-area.lists.ietf.org>
List-Unsubscribe: <https://www1.ietf.org/mailman/listinfo/int-area>, <mailto:int-area-request@lists.ietf.org?subject=unsubscribe>
List-Archive: <http://www1.ietf.org/pipermail/int-area>
List-Post: <mailto:int-area@lists.ietf.org>
List-Help: <mailto:int-area-request@lists.ietf.org?subject=help>
List-Subscribe: <https://www1.ietf.org/mailman/listinfo/int-area>, <mailto:int-area-request@lists.ietf.org?subject=subscribe>
Errors-To: int-area-bounces@lists.ietf.org

Hi,

On 3/29/07, John Schnizlein <jschnizl@cisco.com> wrote:
> The authentication in RFC 3118 (for DHCPv4) and RFC 3315 (for DHCPv6)
> is message authentication, not subscriber authentication.
>
> Message authentication is all about ensuring that the contents are
> not fake, assuming that there is enough shared trust between client
> and server host computers.  The shared trust also serves to control
> authorization to exchange DHCP messages.
>
> Subscriber authentication is about the user of network access, and
> the user is often the person who has credentials rather than the
> host, although storing user credentials on the host happens.
>
> The point of section 2.5 of draft-aboba-ip-config-00.txt is that
> these are different:
>
>    2.5.  Configuration is Not Access Control
>
>     Network access authentication is a distinct problem from Internet
>     host configuration.

 right, I don't think we should overload DHCP with subscriber authentication.

 My 2 cents,

 Julien


>
> John
>
> On Mar 29, 2007, at 2:50 PM, Bernie Volz ((volz)) wrote:
>
> > Ralph:
> >
> > Isn't this discussion a bit late given that RFC 3118 exists and RFC
> > 3315
> > contains Authentication?
> >
> > RFC 3118 abstract reads:
> >
> >    This document defines a new Dynamic Host Configuration Protocol
> >    (DHCP) option through which authorization tickets can be easily
> >    generated and newly attached hosts with proper authorization can be
> >    automatically configured from an authenticated DHCP server.  DHCP
> >    provides a framework for passing configuration information to hosts
> >    on a TCP/IP network.  In some situations, network administrators
> > may
> >    wish to constrain the allocation of addresses to authorized hosts.
> >    Additionally, some network administrators may wish to provide for
> >    authentication of the source and contents of DHCP messages.
> >
> > Other than the data used to authenticate (which in this case is a
> > username and password, instead of a shared secret), what really is the
> > difference? I guess it all depends on what "authorized" hosts means.
> >
> > RFC 3118 does have issues as it is difficult to handle client
> > authentication without exposing the client's identity (since
> > there's no
> > good way to "delay" the authentication) -- this is discussed in
> > draft-ietf-dhc-v4-threat-analysis-03.txt, section 5.
> >
> > One additional flaw with Rick draft's is that there's no provision to
> > authenticate the server -- which means that if a client doing this is
> > mobile and attaches to other networks, it may expose the username and
> > password.
> >
> > I think Ted Lemon's point that Ric's draft should stick to the DHC
> > client/server authentication communication and not mention how other
> > network elements may use the end result of the DHCP exchange (i.e.,
> > the
> > "authorization" to use the network). See
> > http://www1.ietf.org/mail-archive/web/dhcwg/current/msg07138.html.
> >
> > If we could work this out within the RFC 3118 framework, it certainly
> > would kick start DHCP authentication.
> >
> > - Bernie
> >
> > -----Original Message-----
> > From: Ralph Droms (rdroms)
> > Sent: Thursday, March 29, 2007 1:47 PM
> > To: Int-area@lists.ietf.org
> > Subject: [dhcwg] Discussion of subscriber authentication
> >
> > At the dhc WG meeting in Prague, there was a discussion of "subscriber
> > authentication" and how that function might be provided through DHCP.
> > Ric
> > Pruss gave a presentation about a proposal for subscriber
> > authentication
> > through DHCP:
> >
> > http://www3.ietf.org/proceedings/07mar/slides/dhc-2.pdf
> > http://www.ietf.org/internet-drafts/draft-pruss-dhcp-auth-dsl-00.txt
> >
> > There is a related draft that was not discussed at the dhc WG meeting:
> >
> > http://www.ietf.org/internet-drafts/draft-zhao-dhc-user-
> > authentication-0
> > 1.tx
> > t
> >
> > There was also a discussion of "Principles of Internet Host
> > Configuration".
> > Dave Thaler gave a presentation about the draft he co-authored with
> > Bernard
> > Aboba:
> >
> > http://www3.ietf.org/proceedings/07mar/slides/dhc-7.pdf
> > http://www.ietf.org/internet-drafts/draft-aboba-ip-config-00.txt
> >
> > During the discussion of subscriber authentication, it was noted that
> > the
> > proposed solutions assume that DHCP is the right vehicle through which
> > subscriber authentication should take place.  That assumption needs to
> > be
> > further examined; PANA, for example, provides an alternative solution
> > which
> > does not depend on DHCP.  Before the IETF proceeds with a DHCP-based
> > solution, we need to discuss the broader issue of where subscriber
> > authentication should be implemented.
> >
> > Accordingly, the Internet Area directors and the WG chairs have
> > decided
> > to
> > move the discussion of subscriber authentication to the int-area
> > mailing
> > list.  This discussion will explore the subscriber authentication
> > problem
> > space and requirements, to come to some initial consensus about
> > where a
> > solution might belong.
> >
> > To kick off the discussion, we are trying to get permission to publish
> > subscriber authentication requirements from the DSL Forum.
> >
> > I've included dhcwg@ietf.org as a BCC to this note, to inform the
> > dhc WG
> > members that further discussion of subscriber authentication will move
> > to
> > int-area@lists.ietf.org.  I've also included secdir@mit.edu as a
> > BCC, to
> > make sure we have appropriate security clue in the discussion.
> >
> > - Ralph
> >
> >
> >
> >
> > _______________________________________________
> > dhcwg mailing list
> > dhcwg@ietf.org
> > https://www1.ietf.org/mailman/listinfo/dhcwg
> >
> > _______________________________________________
> > dhcwg mailing list
> > dhcwg@ietf.org
> > https://www1.ietf.org/mailman/listinfo/dhcwg
>
> _______________________________________________
> Int-area mailing list
> Int-area@lists.ietf.org
> https://www1.ietf.org/mailman/listinfo/int-area
>

_______________________________________________
Int-area mailing list
Int-area@lists.ietf.org
https://www1.ietf.org/mailman/listinfo/int-area

v2.23.0 | Report a Bug | By Email